FBI: State hackers exploiting new Zoho zero-day since October
The Federal Bureau of Investigation (FBI) says a zero-day vulnerability in Zoho’s ManageEngine Desktop Central has been under active exploitation by state-backed hacking groups (also known as APTs or advanced persistent threats) since at least October.
“Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers,” the FBI’s Cyber Division said [PDF].
“The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.”
The security flaw, patched by Zoho in early December, is a critical authentication bypass vulnerability that attackers could exploit to execute arbitrary code on vulnerable Desktop Central servers.
CISA added CVE-2021-44515 to its Known Exploited Vulnerabilities Catalog on December 10, requiring federal agencies to patch it before Christmas under Binding Operational Directive (BOD) 22-01.
After patching the vulnerability, the company also warned customers of ongoing exploitation attempts, urging them to deploy the security updates immediately to block incoming attacks.
“As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” Zoho said.
To check whether your server was breached through this flaw, you can run Zoho’s Exploit Detection Tool and work through the steps the company details alongside it.
The company advises backing up critical business data, disconnecting impacted network systems, formatting all compromised servers, restoring Desktop Central, and updating to the latest build.
If signs of compromise are found, Zoho recommends initiating a password reset “for all services, accounts, Active Directory, etc. that has been accessed from the service installed machine,” together with Active Directory administrator passwords.
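The FBI description above (a webshell that overrides a legitimate Desktop Central function) points at the kind of check a responder wants before trusting any single tool: compare the live install’s web content against a known-clean baseline and flag anything new, changed, or modified after the exploitation window. The script below is an added example written for this article; it is not Zoho’s Exploit Detection Tool and does not use Zoho’s real directory layout or any published indicators. The `webapps/DesktopCentral` path, the file extensions treated as web content, and the 1 October 2021 cutoff (a conservative reading of “since at least late October 2021”) are all assumptions, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Baseline hunt for dropped or overwritten web content in a Tomcat-style install.

Added example for the CVE-2021-44515 article. Not Zoho's tool; the paths,
extensions and cutoff date are assumptions, and the sample tree is constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: these extensions are what a JSP/servlet webshell would be dropped as.
WEB_EXTENSIONS = {".jsp", ".jspx", ".class", ".jar", ".war"}


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large .jar/.war archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def web_files(root: Path):
    """Yield (relative POSIX path, Path) for every web-content file under root."""
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS:
            yield p.relative_to(root).as_posix(), p


def build_baseline(root: Path) -> dict[str, str]:
    """Hash every web-content file under root.

    Run this on a known-clean install of the same build (a fresh deployment or a
    pre-incident backup) and keep the result; never baseline a suspect host.
    """
    return {rel: sha256_file(p) for rel, p in web_files(root)}


def hunt(root: Path, baseline: dict[str, str], cutoff: datetime) -> dict[str, list[str]]:
    """Compare a live install against the baseline and return three sorted lists.

    modified: content differs from baseline (a legitimate page overwritten by a shell)
    new:      web-content file absent from baseline (a dropped shell)
    recent:   mtime after the cutoff, regardless of hash (catches timestomped
              baselines and files the baseline never covered)
    """
    findings: dict[str, list[str]] = {"modified": [], "new": [], "recent": []}
    for rel, p in web_files(root):
        digest = sha256_file(p)
        if rel not in baseline:
            findings["new"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if mtime > cutoff:
            findings["recent"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, then simulate post-exploitation
    by overwriting one legitimate JSP and dropping a new one with later mtimes."""
    old = datetime(2021, 6, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2021, 11, 15, tzinfo=timezone.utc).timestamp()
    cutoff = datetime(2021, 10, 1, tzinfo=timezone.utc)  # assumption, see lead-in
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "webapps" / "DesktopCentral"  # placeholder layout, not Zoho's
        app.mkdir(parents=True)
        for name in ("index.jsp", "login.jsp"):
            f = app / name
            f.write_text("<%-- constructed legitimate page --%>")
            os.utime(f, (old, old))
        (app / "README.txt").write_text("not web content, ignored by the filter")
        baseline = build_baseline(root)

        # Simulated attacker activity: overwrite a legitimate page, drop a new one.
        overwritten = app / "login.jsp"
        overwritten.write_text("<%-- constructed stand-in for a webshell --%>")
        os.utime(overwritten, (new, new))
        dropped = app / "cmd.jsp"
        dropped.write_text("<%-- constructed stand-in for a dropped webshell --%>")
        os.utime(dropped, (new, new))
        return hunt(root, baseline, cutoff)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

On a real host, build the baseline from a clean install of the same build and run `hunt` against the suspect server’s install directory; treat any hit as a reason to follow Zoho’s rebuild and credential-reset guidance above rather than to clean files in place, since the FBI notes the same actors also dumped credentials and attempted lateral movement.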
According to Shodan, there are over 2,900 ManageEngine Desktop Central instances exposed to incoming attacks.
Zoho ManageEngine servers have been a constant target in recent years; access to hacked Desktop Central instances, for example, has been sold on hacking forums since July 2020.
Between August and October 2021, Zoho ManageEngine installations were also attacked by nation-state hackers using tactics and tooling similar to those of the China-linked APT27 group.
In these attacks, the threat actors focused their efforts on breaching the networks of critical infrastructure organizations worldwide in three different campaigns.
They first used an ADSelfService zero-day exploit between early August and mid-September, then switched to an n-day ADSelfService exploit until late October, and moved to a ServiceDesk exploit starting October 25.
Following these campaigns, the FBI and CISA issued two joint advisories warning of APT actors exploiting these ManageEngine flaws to drop web shells on the networks of breached critical infrastructure organizations, including the healthcare, financial services, electronics, and IT consulting industries.
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved